IDENTITY AND ACCESS MANAGEMENT POLICY

Executive Summary

The purpose of Kayndrexsphere’s Identity and Access Management Policy is to establish the requirements necessary to ensure that access to, and application of, Kayndrexsphere’s Data Base is managed in accordance with sphere requirements, information security requirements, and Kayndrexsphere’s other policies and procedures.

Kayndrexsphere’s Identity and Access Management Policy applies to individuals who are responsible for managing Kayndrexsphere’s Data Base access, and those granted access privileges, including special access privileges, to any Kayndrexsphere data resource.


Policy

Access Control

  • Access to Kayndrexsphere’s Data Base shall be justified by a legitimate sphere requirement prior to approval.
  • Where multi-factor authentication is employed, applicant identification shall be verified in person before access is granted.
  • Kayndrexsphere’s Data Base shall have a corresponding ownership responsibility identified and documented.
  • Access to confidential information is based on a ‘need to know.’
  • Confidential data access shall be logged.
  • Access to Kayndrexsphere’s interface shall include a secure log-on procedure.
  • Offices and systems shall impose an automatic freeze after a pre-determined period of inactivity.
  • Documented operator access rights and privileges to Kayndrexsphere’s Data Base shall be included in recovery plans whenever such data is excluded from reinforcements.

Account Management

  • All personnel and members shall appreciate Kayndrexsphere’s Privacy Policy and Terms and Conditions before access to an account or to Kayndrexsphere’s Data Base is continued.
    • Personnel accounts shall be created by Human Resources.
      • Individuals shall receive an account after appropriate state and federal employment requirements are fulfilled, including a personal history check.
    • Member accounts shall be created following the admissions process.
      • Firm records, investment applications, and communications with admissions staff over our investor relationship management facility shall confirm the member’s identity prior to being admitted as a member.
        • If identifying information is inadequately provided, members shall show their government-provided photo identification in person before being allowed to apply for any membership benefit.
    • Members shall also have their ‘fee paid’ for enrolment prior to being given an account and allowed to register for programmes. 
  • All accounts created shall have an associated and documented request and approval in our source of record system. 
  • Segregation of duties shall exist among access request, access authorisation, and access administration.
  • Kayndrexsphere is responsible for the approval of all access requests.
  • Operator accounts and access rights for Kayndrexsphere’s Data Base shall be reviewed and reconciled annually, and actions shall be documented.
  • All accounts shall be uniquely identifiable by the operator name assigned by Kayndrexsphere’s IT, and account creation shall include verification that no redundant operator IDs are applied.
  • All accounts, including default accounts, shall have a password renewal and complexity that complies with Kayndrexsphere’s authentication standard.
  • Only the level of access required to perform authorised obligations shall be approved, following the concept of ‘nominal privilege’ (least privilege).
  • Whenever possible, access to the Data Base should be granted to operator groups rather than directly to individual accounts.
  • Shared accounts shall not be applied. Where shared accounts are required, their application shall be documented and approved by Kayndrexsphere.
  • Applicant accounts set up for third-party cloud computing applications applied for sharing, storing and/or transferring Kayndrexsphere’s confidential or internal information shall be approved by Kayndrexsphere and documented.
  • Upon operator role changes, access rights shall be modified in a timely manner to reflect the new role.
  • Creation of operator accounts and access right modifications shall be documented and/or logged.
  • Any accounts that have had no access within a defined period of time shall be disabled.
  • Accounts shall be disabled and/or deleted in a timely manner following employment termination, according to a documented personnel termination process.
  • System Administrators or other designated personnel:
    • Are responsible for modifying and/or removing the accounts of individuals who change roles within Kayndrexsphere or are separated from their relationship with Kayndrexsphere.
    • Shall have a documented process to modify an operator’s account to accommodate situations such as name changes, accounting changes, and permission changes.
    • Shall have a documented process for periodically reviewing existing accounts for validity.
    • Shall provide a list of accounts for the systems they administer when requested by authorised Kayndrexsphere IT management personnel.
    • Shall cooperate with authorised Kayndrexsphere Data Security personnel investigating security events at the direction of Kayndrexsphere’s executive management.

Administrator/Special Access

  • Administrative/Special access accounts shall have account management instructions, documentation, and authorisation.
  • Personnel with Administrative/Special access accounts shall not misuse their privileges and shall only perform the duties required to complete their employment function.
  • Personnel with Administrative/Special access accounts shall apply the account privilege most appropriate to the role being performed (i.e., applicant account vs. administrator account).
  • Shared Administrative/Special access accounts should only be applied when no other option exists.
  • The password for a shared Administrative/Special access account shall change when an individual with knowledge of the password changes roles, moves to another department or leaves Kayndrexsphere altogether.
  • In the circumstance where a system has only one administrator, there shall be a password escrow procedure in place so that someone other than the administrator can gain access to the administrator account in an emergency situation.
  • Special access accounts for internal or external audit, software development, software installation, or other defined need shall be administered according to Kayndrexsphere’s authentication standard.

Authentication

  • Personnel are required to maintain the confidentiality of personal authentication information. 
  • Any group/shared authentication information shall be maintained solely among the authorised members of the group. 
  • All passwords, including initial and/or temporary passwords, shall be constructed and implemented according to the following Kayndrexsphere directives:
    • Shall satisfy all the requirements established in Kayndrexsphere’s authentication standard, including length, complexity, and rotation requirements.
    • Shall not be related to the account owner, e.g. by containing the operator name, nickname, relatives’ names, birth date, etc.
    • Should exclude common words, such as dictionary words or acronyms.
    • Should not reuse passwords already applied for other sphere purposes.
  • Password history shall be kept to prevent passwords from being reapplied.
  • Unique passwords should be applied for each system, whenever possible.
  • Where other authentication mechanisms are applied (e.g., security tokens, smart cards, certificates, etc.), the authentication mechanism shall be assigned to an individual, and a physical or logical mechanism shall be in place to ensure only the intended account can apply the mechanism to gain access.
  • Stored passwords are classified as confidential and shall be encrypted.
  • All supplier-provided default passwords should be immediately updated, and unnecessary default accounts removed or disabled before installing a system on the interface.
  • Operator account passwords shall not be divulged to anyone. Kayndrexsphere’s support personnel and/or contractors should never ask for operator account passwords.
  • Security tokens (e.g., Smartcard) shall be returned on demand or upon termination of the relationship with Kayndrexsphere, if dispensed.
  • If the security of a password is in doubt, the password should be changed immediately.
  • Administrators/Special Access operators shall not bypass Kayndrexsphere’s authentication standard for the sake of ease of operation.
  • Operators shall not bypass password entry with embedded scripts or hard-coded passwords in Kayndrexsphere’s software. Exceptions can be made for specific functions (like automated reinforcement) with the approval of Kayndrexsphere’s IT Management.
    • Application/website remembering is allowed for operators.
  • If a password management system is employed, it should be applied in compliance with Kayndrexsphere’s authentication standard.
  • Computing devices left unattended shall have a password-protected screensaver enabled or be logged off.
  • Kayndrexsphere’s IT Support password change procedures shall include the following:
    • authenticate the operator to the support desk before changing password
    • change to a strong password
    • require the operator to change password at first login.
  • In the event that an operator’s password is compromised or discovered, the password should be immediately changed, and the security event reported to Kayndrexsphere’s IT support.

Remote Access

  • All remote access connections to Kayndrexsphere’s interfaces will be made through the approved remote access methods employing data encryption and multi-factor authentication for administrative access rights.
  • Remote operators can connect to Kayndrexsphere’s interfaces only after formal approval by the requestor’s manager or Kayndrexsphere’s Management.
  • The ability to print or copy confidential information remotely shall be disabled.
  • Operators granted remote access privileges shall be given remote access instructions and responsibilities.
  • Remote access to Kayndrexsphere’s Data Base shall be logged.
  • Remote sessions shall be terminated after a defined period of inactivity.
  • A secure connection to another private interface is disallowed while connected to Kayndrexsphere’s interface, unless approved in advance by Kayndrexsphere’s IT management.
  • Non-Kayndrexsphere computer systems that require interface connectivity shall conform to all applicable Kayndrexsphere IT standards and shall be connected only after prior written authorisation from IT Management.
  • Remote maintenance of organisational assets shall be approved, logged, and performed in a manner that prevents unauthorised access.

Supplier Access

  • Supplier access shall be uniquely identifiable and comply with all existing Kayndrexsphere’s policies.
  • External supplier access activity shall be monitored.
  • All supplier maintenance equipment on Kayndrexsphere’s interface that connects to the external world via the system, telephone line, or leased line, and all Kayndrexsphere data resource supplier accounts, will remain disabled except when being applied for authorised maintenance.

References


Waivers

Waivers from certain policy provisions can be sought.


Enforcement

Personnel found to have disregarded this policy shall be subject to disciplinary action, up to and including termination of employment, and related non-compliance penalties.